Slow Network Speed – Possible VPN Configuration Issue?

Tags: cisco-asa, vpn

CONTEXT

I have a VPN connection between two ASA-5515s set up between our main site and new backup site. This is to replace our old backup site, which is currently connected between an ASA-5515 (Main Site) and FreeBSD using Racoon.

PROBLEM

The file transfer speed between the two ASA-5515s is half that of the ASA-5515 to FreeBSD connection.

EXPECTATIONS

My expectation is that the speeds should be around the same, if not better, as the old backup site is based in France and the new backup site is based in the UK, where our main site is based.

INVESTIGATION

I have transferred files from one server to another whilst doing some Disk R/W testing and have ruled out that this is to do with disk R/W speed issues.

I have also performed this test against both old and new backup sites:

root@main_site_server:# dd if=/dev/zero bs=1M count=10240 | ssh server@backup 'cat > /dev/null'

(https://www.commandlinefu.com/commands/view/5799/test-network-speed-without-wasting-disk)

transfer from primary_site to new_backup_site 
10240+0 records in
10240+0 records out
10737418240 bytes (11 GB) copied, 351.285 s, 30.6 MB/s

transfer from primary_site to old_backup_site
0240+0 records in
10240+0 records out
10737418240 bytes (11 GB) copied, 189.332 s, 56.7 MB/s

My suspicions lie with maybe how the site-to-site VPN is configured.

The only differences between the site-to-site configurations are that one of the backup sites is configured with NAT exemption and configured with unlimited traffic volume (as opposed to 4608000) under SAL, as well as being priority 7 (as opposed to 5) in its crypto-map entry.

QUESTION

My question is would you expect any of these settings to have that much of an impact on transfer speed?

TECHNICAL

All servers are connected via the following Cisco switch model: ws-c2960x-48ts-l

CONFIGURATION (These have been cleansed as much as I can)

main site router configuration (Cisco ASA-5515)


ASA Version 9.8(2)
!
interface GigabitEthernet0/0
 description Link to redstation
 nameif outside
 security-level 0
 ip address <maindatacenter_external_ip> standby <main_site_secondary_ip>
!
interface GigabitEthernet0/1
 description prodsw - internal
 nameif inside
 security-level 100
 ip address <maindatacenter_gateway_ip> standby <main_site_secondary_gateway_ip>
!
interface GigabitEthernet0/2
 description prodsw - dmz
 nameif dmz
 security-level 50
 ip address <maindatacenter_dmz_gateway_ip>  standby <main_site_dmz_secondary_gateway_ip>
!
boot system disk0:/asa982-smp-k8.bin
!
object network network_internal
 subnet <main_site_internal_network> 
!
object network <old_backup_internal>
 subnet <old_backup_internal_network> 
!
object network <new_backup_internal>
 subnet <new_backup_internal_network> 
object network NETWORK_OBJ_<main_site_internal_network>
 subnet <main_site_internal_network> 
object network <new_backup_external>
 host <new_backup_external_ip>
!
 group-object hostgroup_connect
 network-object object <old_backup_internal>
 network-object object <new_backup_internal>
!
object-group network hostgroup_ike_peers
 network-object object <new_backup_external>
!
access-list outside_cryptomap_1 extended permit ip object network_internal object <old_backup_internal>
!
access-list outside_cryptomap_4 extended permit ip object network_internal object <new_backup_internal>
!
access-list inside_access_in extended permit ip any any
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,any) source static network_internal network_internal destination static no_nat no_nat no-proxy-arp route-lookup
nat (dmz,any) source static network_internal network_internal destination static no_nat no_nat no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (dmz,outside) source dynamic any interface
nat (inside,outside) source static network_internal network_internal destination static <new_backup_internal> <new_backup_internal>
!
access-group outside_access_in in interface outside control-plane
access-group outside_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_in in interface dmz
!
route outside 0.0.0.0 0.0.0.0 <main_site_external_ip> 1
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
!
crypto map outside_map 5 match address outside_cryptomap_1
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer <old_backup_external_ip>
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
!
crypto map outside_map 7 match address outside_cryptomap_4
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer <new_backup_external_ip>
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 7 set security-association lifetime kilobytes unlimited
!
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint6
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
 error-recovery disable
!
tunnel-group <old_backup_external_ip> type ipsec-l2l
tunnel-group <old_backup_external_ip> general-attributes
 default-group-policy GroupPolicy_Backup
tunnel-group <old_backup_external_ip> ipsec-attributes
 ikev1 pre-shared-key 
!
tunnel-group <new_backup_external_ip> type ipsec-l2l
tunnel-group <new_backup_external_ip> general-attributes
 default-group-policy GroupPolicy_<new_backup_external_ip>
tunnel-group <new_backup_external_ip> ipsec-attributes
 ikev1 pre-shared-key 
 ikev2 remote-authentication pre-shared-key
 ikev2 local-authentication pre-shared-key


: end

new backup router configuration (Cisco ASA-5515)

Result of the command: "show running-config"

: Saved
:
ASA Version 9.1(1) 
!
interface GigabitEthernet0/0
 description LINK TO WAN
 nameif outside
 security-level 0
 ip address <newbackup_external_ip>  
!
interface GigabitEthernet0/1
 description LINK TO LAN
 nameif inside
 security-level 100
 ip address <newbackup_gateway_ip>  
!
ftp mode passive
!
object network my-inside-net
 subnet <newbackup_internal_network> 
object network <maindatacenter_internal_network>
 subnet <maindatacenter_internal_network> 
object network <maindatacenter_external_ip>
 host <maindatacenter_external_ip>
object network NETWORK_OBJ_<newbackup_internal_network>
 subnet <newbackup_internal_network> 
object network <oldbackup_internal_network>
 subnet <oldbackup_internal_network> 
object network <oldbackup_external_ip>
 host <oldbackup_external_ip>
object-group service 4500 udp
 description port 4500 adsm
 port-object eq 4500
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply
access-list OUTSIDE-IN extended permit icmp any any object-group DM_INLINE_ICMP_2 
access-list OUTSIDE-IN extended permit ip any any 
access-list outside_cryptomap_1 extended permit ip <newbackup_internal_network> object <maindatacenter_internal_network> 
access-list inside_access_in extended permit ip <newbackup_internal_network> object <maindatacenter_internal_network> 
access-list inside_access_in extended permit ip <newbackup_internal_network> object <oldbackup_internal_network> 
access-list inside_access_in extended permit ip object <maindatacenter_internal_network> <newbackup_internal_network> 
access-list inside_access_in extended permit ip object <oldbackup_internal_network> <newbackup_internal_network>
access-list inside_access_in extended permit ip object <maindatacenter_internal_network> object my-inside-net 
access-list inside_access_in extended permit icmp any object <maindatacenter_internal_network> object-group DM_INLINE_ICMP_1 
access-list inside_access_in extended permit ip any any 
access-list global_access extended permit ip object <maindatacenter_internal_network> interface inside 
access-list outside_access_in extended permit udp object <maindatacenter_external_ip> any eq isakmp 
access-list outside_access_in extended permit udp object <oldbackup_external_ip> any eq isakmp 
access-list outside_access_in extended permit ip any any 
access-list outside_cryptomap extended permit ip <newbackup_internal_network> object <oldbackup_internal_network> 
!
mtu outside 1500
mtu inside 1500
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
!
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_<newbackup_internal_network> NETWORK_OBJ_<newbackup_internal_network>_24 destination static <maindatacenter_internal_network> <maindatacenter_internal_network> no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_<newbackup_internal_network> NETWORK_OBJ_<newbackup_internal_network>_24 destination static <oldbackup_internal_network> <oldbackup_internal_network> no-proxy-arp route-lookup
!
object network my-inside-net
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside control-plane
access-group OUTSIDE-IN in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 <newbackup_external_ip> 1
!
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer <maindatacenter_external_ip> 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set security-association lifetime kilobytes 2147483647
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer <oldbackup_external_ip> 
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_<oldbackup_external_ip> internal
group-policy GroupPolicy_<oldbackup_external_ip> attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_<maindatacenter_external_ip> internal
group-policy GroupPolicy_<maindatacenter_external_ip> attributes
 vpn-tunnel-protocol ikev1 
!
tunnel-group <maindatacenter_external_ip> type ipsec-l2l
tunnel-group <maindatacenter_external_ip> general-attributes
 default-group-policy GroupPolicy_<maindatacenter_external_ip>
tunnel-group <maindatacenter_external_ip> ipsec-attributes
 ikev1 pre-shared-key 
tunnel-group <oldbackup_external_ip> type ipsec-l2l
tunnel-group <oldbackup_external_ip> general-attributes
 default-group-policy GroupPolicy_<oldbackup_external_ip>
tunnel-group <oldbackup_external_ip> ipsec-attributes
 ikev1 pre-shared-key 
!
class-map inspection_default
 match default-inspection-traffic
!
: end

old backup router configuration (FreeBSD/Racoon)

padding
{
    maximum_length  20;
    randomize       off;
    strict_check    off;
    exclusive_tail  off;
}

timers
{
    counter         5;
    interval        20 sec;
    persend         1;
    phase1          24 hour;
    phase2          3600 sec;
}

listen
{
    isakmp          <old_backup_external_ip> [500];
    isakmp_natt     <old_backup_external_ip> [4500];
}

remote <main_site_external_ip> [500]
{
    exchange_mode     main;
    situation         identity_only;
    my_identifier     address <old_backup_external_ip>;
    peers_identifier  address <main_site_external_ip>;
    lifetime          time 24 hour;
    passive           off;
    proposal_check    obey;
    generate_policy   off;

    proposal {
        encryption_algorithm    aes128;
        hash_algorithm          sha1;
        authentication_method   pre_shared_key;
        lifetime time           24 hour;
        dh_group                2;
    }
}

sainfo (address <old_backup_internal_network> any address <primary_site_internal_network> any)
{
    pfs_group                 2;
    lifetime                  time 3600 sec;
    encryption_algorithm      aes;
    authentication_algorithm  hmac_sha1;
    compression_algorithm     deflate;
}

sainfo (address <old_backup_internal_network> any address <internal_network_range> any)
{
    pfs_group                 2;
    lifetime                  time 3600 sec;
    encryption_algorithm      aes;
    authentication_algorithm  hmac_sha1;
    compression_algorithm     deflate;
}

remote <new_backup_external_ip> [500]
{
    exchange_mode     main;
    situation         identity_only;
    my_identifier     address <old_backup_external_ip>;
    peers_identifier  address <new_backup_external_ip>;
    lifetime          time 24 hour;
    passive           off;
    proposal_check    obey;
    generate_policy   off;

    proposal {
        encryption_algorithm    aes128;
        hash_algorithm          sha1;
        authentication_method   pre_shared_key;
        lifetime time           24 hour;
        dh_group                2;
    }
}

sainfo (address <old_backup_internal_network>/24 any address <new_backup_internal_network> any)
{
    pfs_group                 2;
    lifetime                  time 3600 sec;
    encryption_algorithm      aes;
    authentication_algorithm  hmac_sha1;
    compression_algorithm     deflate;
}

sainfo (address <new_backup_internal_network>/24 any address <old_backup_internal_network> any)
{
    pfs_group                 2;
    lifetime                  time 3600 sec;
    encryption_algorithm      aes;
    authentication_algorithm  hmac_sha1;
    compression_algorithm     deflate;
}

Best Answer

This IPSec configuration seems a bit loaded, for a simple site-2-site tunnel where one controls both ends.

I suggest the following procedure:

First: Be sure to understand if you're running IKEv1 or IKEv2 between these two ASAs. There are config bits and possible config leftovers from either. Remove the parts you're not using. Troubleshooting IPSec connectivity with one IKE variety is hard enough...

Second: Disable/remove ALL transform sets you don't actually want to use:

crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

There's just no point in offering all of these during IKE negotiations and then having a hard time finding out which one is actually chosen, when the choice might have a performance impact, too. It becomes near impossible to analyze, compare and optimize if you don't control tightly which encryption and integrity/hashing algos are actually being used.

Suggestion: Err towards ESP-AES-xxx-SHA varieties, investigate if SHA2 is available on your ASA for both IKE profile and transform set, and up the bar on PFS resp. the DH group to 5, 14, or higher. Anything "DES", "3DES" and "MD5" should go away, these are obsolete (arguably SHA/SHA1, too).

Also: if possible, reduce to a single IKE policy, so there's no ambiguity whatsoever which one gets chosen.

Third: IPsec's packet overhead varies (up to 100+ bytes) with the encryption and hashing algos and the transport mechanisms that are being used (NAT-T, anyone?). The value for TCP MSS clamping will have to be set to a value that suits the remaining payload size.

Therefore: Determine your IPSec tunnel's MTU. Be sure to have identical IKE/IPSec configurations on both ends and have the tunnel come up. Also be sure to have df-bit-ignore or df-bit-clear set to off (crypto ipsec df-bit copy-df as per https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c5.html#pgfId-2356776), in extenso: The ASA should respect and keep the df-bit, and should not fragment packets that are too large to fit into the tunnel (having the ASA send back an "ICMP unreachable, Fragmentation needed" is optional for this test).

Then, start sending pings to the remote site, with activated DF-bit and a specified packet size near the expected MTU. Increase/decrease the ICMP message size [2] until you find the maximum packet size that fits into the tunnel [3]. Do not use the ASA itself to send packets, use end systems in the LAN - results might be skewed if done from the ASA.

Fourth: To avoid fragmentation, set the TCP MSS clamping value to (at least) 40 bytes lower than the tunnel MTU you just established.

Starting from the assumption that there are full 1500 bytes of MTU between your sites, be sure to check if either site uses PPP (+8 bytes overhead) or (at least) one ASA is behind a NAT (then NAT-T kicks in, with another +8 bytes of overhead). TCP MSS clamping to 1380 bytes is probably all right, 1360 pretty certainly safe, while 1350 would be a very safe choice. However, 1400 might just not be low enough.

sysopt connection tcpmss 1350

Eventually: Find out if your application is using UDP as transport. The access lists in your config seem to match on IP addresses only, but not on the L4 protocol. UDP can't be helped with TCP MSS clamping. There are only two things you can do for UDP:

  • Configure the application to send no more than MTU - 28 bytes of payload per packet
  • Revert to crypto ipsec df-bit clear-df so the ASA ignores the df bit and fragments the packets anyway before packing them into the tunnel. [4]

The one thing that might work for UDP, but don't rely on it, because PathMTUd is not always reliable, is the following:

  • Keep the ASA with crypto ipsec df-bit copy-df and hope that it will send an ICMP fragmentation needed (Type 3, Code 4) message to the sending host AND that the host's IP and/or application stack will receive the message AND that the application or IP stack honors the MTU suggestion the message contains. PathMTUd sometimes works, and sometimes it breaks, causing quite a set of mixed results.

Addon: For performance tests, I suggest using a tool like iPerf in unidirectional UDP mode to pump traffic through the VPN tunnel from either side.

First advantage: Detecting the (possible) directionality of the bandwidth/throughput/performance problem.

Unidirectional tests are important, since end-to-end MTU, network bandwidth and QoS topics (like policing/shaping by the carrier) can be of unidirectional nature. Testing with TCP never quite lets you know exactly if something happened on the way there or on the way back.

Also see: "Iperf results on UDP Bandwidth". Don't forget to limit the payload size used by iPerf in UDP mode to 28 bytes lower than MTU (with something like -l 1372).

Second advantage of not using TCP at first: UDP has no notion of flow control nor TCP window sizes and scaling thereof. Since you're talking of .fr <-> .uk, bandwidth x delay product, network RTT and TCP Window Scaling can already be an important topic, which is - at first - best left aside.

Third: Testing the ASA's encryption performance. With UDP, there is no sending rate adaption as with TCP. iPerf in UDP mode will just "blast" traffic at the given payload rate, not caring for packet loss nor overloaded links. So if you pump NN Mbit/s of UDP traffic into the ASA's inside interface, then NN+some Mbit/s (remember, up to 100 bytes of IPsec overhead per packet) should come out of the ASA's outside/WAN interface. If it doesn't, then the given ASA's not up to the task. Try less computationally expensive crypto settings for comparison.


[2] Some ping implementations let you specify the size of the entire IP packet (including 20 bytes of IP and 8 bytes of ICMP), while others take the command line parameter as the ICMP payload size (without headers). Be sure to squint well and play the +/- 28 bytes game to understand the given variety of ping before starting tests.

[3] Remember: a missing ping response does not tell if the packet's been lost on the way there OR on the way back. To be certain, run a packet-dump on the remote system to see if echo requests came through or if the echo replies left the remote system but got lost on the way back.

[4] Yes, this turns fragmentation back on, on the ASA. But since heavy payloads are usually done with TCP, and TCP is being taken care of by TCP MSS clamping, there's no harm in allowing the ASA to fragment.
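The DF-bit MTU probing from the "Third" step, the MSS arithmetic from the "Fourth" step and the iperf UDP payload rule from the addon, as an added shell example that is not part of the original answer. It assumes Linux iputils ping (-M do sets DF, -s gives the ICMP payload, i.e. packet size minus 28) and a hypothetical far-end LAN host in TUNNEL_PEER; the search takes its probe as a parameter so the logic can be exercised without a live tunnel.

```shell
#!/bin/sh
# Added example (not from the original post). Binary-searches the largest IP packet
# that crosses the tunnel with DF set, then derives the MSS clamp and iperf payload.
# Assumes iputils ping: -M do = set DF, -s = ICMP payload (packet size - 28 bytes).
# TUNNEL_PEER is a hypothetical end system on the far LAN; per the answer, probe
# from a LAN host, not from the ASA itself.

# probe_fits SIZE: succeed if an IP packet of SIZE bytes traverses the tunnel unfragmented.
probe_fits() {
    payload=$(( $1 - 28 ))              # strip 20 bytes IP + 8 bytes ICMP header
    ping -c 1 -W 2 -M do -s "$payload" "$TUNNEL_PEER" >/dev/null 2>&1
}

# find_tunnel_mtu LOW HIGH PROBE: print the largest size in [LOW, HIGH] for which
# PROBE (a function name) succeeds; fails if even LOW does not get through.
find_tunnel_mtu() {
    lo=$1; hi=$2; probe=$3
    "$probe" "$lo" || { echo "no packet of $lo bytes gets through" >&2; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))     # upper midpoint so lo always advances
        if "$probe" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# mss_clamp MTU: TCP MSS = MTU - 20 (IP) - 20 (TCP), the answer's "at least 40 lower".
mss_clamp() { echo $(( $1 - 40 )); }

# udp_payload MTU: iperf -l value = MTU - 20 (IP) - 8 (UDP), the answer's "MTU - 28".
udp_payload() { echo $(( $1 - 28 )); }

# Live run only when a far-end host is given; probes between 576 and 1500 bytes.
if [ -n "${TUNNEL_PEER:-}" ]; then
    mtu=$(find_tunnel_mtu 576 1500 probe_fits) || exit 1
    echo "tunnel MTU: $mtu"
    echo "sysopt connection tcpmss $(mss_clamp "$mtu")"
    echo "iperf -u -l $(udp_payload "$mtu")"
fi
```

Run it as TUNNEL_PEER=<far-end LAN host> sh tunnel_mtu.sh; a tunnel that carries 1438-byte packets yields tcpmss 1398 and an iperf payload of 1410.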